Valve: No, Our Gaming Anti-Cheat System Isn't Tracking Your Voracious Porn Habits
from the honesty-is-the-best-policy dept
Valve Software this week found themselves at the center of an Internet hissy fit after reports emerged claiming that the company was using their Valve Anti-Cheat System (VAC) to monitor the browsing activity of the company's user base. A Reddit post specifically claimed that Valve's VAC was digging through your DNS cache entries and sending the lot of them back to Valve servers hashed with MD5. The post quickly escalated, with Reddit users suddenly jumping to the conclusion that Valve was just as bad as EA, and the company was covertly trying to monetize user browsing data using DNS records.
The entire kerfuffle forced Valve CEO Gabe Newell out of his fantastic nerd fortress to provide what was an interesting bit of insight posted to Reddit on how the normally very hush-hush system works. Newell noted that the company normally doesn't talk much about VAC because it simply provides cheaters with more ammo to hack the system, but he explained that VAC wasn't perusing and storing DNS records wholesale; it was looking for very specific "calls home" made by cheat software:
"VAC checked for the presence of (kernel-level paid cheats). If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban. Less than a tenth of one percent of clients triggered the second check. 570 cheaters are being banned as a result."
According to Newell, this particular effort lasted all of thirteen days before cheat developers found a way around it. The CEO proceeded to note that highlighting how sneaky VAC is in a somewhat sinister light is a form of "social engineering" that's cheaper than trying to develop better cheats:
"Kernel-level cheats are expensive to create, and they are expensive to detect. Our goal is to make them more expensive for cheaters and cheat creators than the economic benefits they can reasonably expect to gain. There is also a social engineering side to cheating, which is to attack people's trust in the system. If "Valve is evil - look they are tracking all of the websites you visit" is an idea that gets traction, then that is to the benefit of cheaters and cheat creators. VAC is inherently a scary looking piece of software, because it is trying to be obscure, it is going after code that is trying to attack it, and it is sneaky. For most cheat developers, social engineering might be a cheaper way to attack the system than continuing the code arms race, which means that there will be more Reddit posts trying to cast VAC in a sinister light."
The CEO insists that the Half-Life developer is entirely uninterested in tracking your interest in busty vixens. While the cat and mouse aspect of the story was pretty fascinating to watch, it's also a nice, all-too-rare example of how quickly issuing a clean, honest statement without assuming your customers are stupid can completely defuse a public-relations minefield.
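The second check Newell describes (partial match in the DNS cache, hashes of only the matching entries sent, match double checked server-side) can be sketched as follows. This is an added example, not Valve's code, which is not public; the watchlist fragments, hostnames, cache entries and function names are all constructed for illustration.

```python
import hashlib

# Constructed values: the real watchlist and hostnames are not on the page.
WATCH_FRAGMENTS = ("drm.cheat-vendor.example", "auth.paidcheat.example")
SERVER_KNOWN_HOSTS = ("eu1.drm.cheat-vendor.example", "auth.paidcheat.example")

# Constructed DNS cache: two ordinary names, three that partially match.
SAMPLE_CACHE = [
    "www.example.org",
    "mail.example.net",
    "eu1.drm.cheat-vendor.example.",   # trailing root dot, as resolvers may store it
    "Auth.PaidCheat.example",          # DNS names are case-insensitive
    "cdn.drm.cheat-vendor.example",    # partial match, but not a known DRM server
]


def normalise(name):
    """Lower-case the name and drop the trailing root dot before matching or hashing."""
    return name.strip().rstrip(".").lower()


def md5_hex(name):
    """MD5 of the normalised hostname, the hash the Reddit post mentions."""
    return hashlib.md5(normalise(name).encode("utf-8")).hexdigest()


def client_report(dns_cache, cheat_detected):
    """Second check: runs only if the first (cheat presence) check fired.
    Only entries that partially match the watchlist are hashed and reported;
    every other cache entry stays on the client."""
    if not cheat_detected:
        return []
    hits = [n for n in dns_cache
            if any(frag in normalise(n) for frag in WATCH_FRAGMENTS)]
    return sorted(md5_hex(n) for n in hits)


def server_confirm(report):
    """Server-side double check: a substring hit on the client can be a false
    positive, so only hashes of exactly known hostnames are confirmed."""
    known = {md5_hex(h) for h in SERVER_KNOWN_HOSTS}
    return [h for h in report if h in known]


def what_receiver_learns(report, candidate_names):
    """An unsalted hash of a hostname hides nothing from a receiver that can
    guess the name: hashing candidates and comparing confirms it. Names the
    receiver cannot guess map to None."""
    lookup = {md5_hex(c): normalise(c) for c in candidate_names}
    return {h: lookup.get(h) for h in report}


if __name__ == "__main__":
    report = client_report(SAMPLE_CACHE, cheat_detected=True)
    print("reported hashes:", len(report))
    print("confirmed by server:", len(server_confirm(report)))
    print(what_receiver_learns(report, SERVER_KNOWN_HOSTS))
```

The privacy property of this design comes from the client-side filter and the first-check gate, which keep unrelated cache entries off the wire, rather than from the hash itself.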
Filed Under: anti-cheat, gabe newell, steam, vac, video games
Companies: valve
Reader Comments
The First Word
As a Single Player Hacker
I hack, but only my single player games. I am okay with the checking for hacks things, but I think a ban is overkill. Not all hacks are malicious and there will always be someone who got banned because their stupid kids did it, or from a false positive.
The appropriate way to handle this is to place a tag on the account and game suspected of cheating on and letting people choose to reject connections with those flags set.
Cheaters as well as non-cheaters have a right to play the games they pay for, including playing with other cheaters if they desire. Allowing non-cheaters to auto reject other suspected cheaters will have the desired effect without taking a cheater's games away.
A whole lot of words to say nothing.
-
"The CEO insists that the Half-Life developer is entirely uninterested in tracking your interest"
The wolf insists he is uninterested in the contents of the hen house... of course he does.
[ link to this | view in chronology ]
Re: Re: A whole lot of words to say nothing.
Seriously, I don't want a program like VAC poking around in my computer; if I ever buy a game from Valve, I'll probably have to run it virtualized.
[ link to this | view in chronology ]
Re: Re: Re: A whole lot of words to say nothing.
> this ugly little program can go crawling
> through your files, sending god knows what
> back to Valve
How is it that these commercial companies can routinely implement and distribute software that essentially 'hacks' the computers of every customer that uses it, but the moment any Average Joe even downloads 'too much' stuff from a web site that gives it away for free, he's suddenly facing 30 years in a federal ass-raping prison for violating the CFAA?
[ link to this | view in chronology ]
Re: Re: Re: Re: A whole lot of words to say nothing.
According to them, they are looking in your DNS cache to see what domain names you've resolved lately. But that's overstating it -- they're taking hashes of those domain names and sending the hashes off to their server, where they're compared with a list of forbidden hashes.
It's actually a decent compromise, privacy-wise: it doesn't reveal to them what the domain names you resolved actually are, but lets them raise a flag if any of them match a "forbidden" list.
Nonetheless, this is pure spyware stuff. What they're doing is highly objectionable even if the data being transmitted poses minimal risk. I won't knowingly allow this sort of nonsense on my own machines.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: A whole lot of words to say nothing.
The fact that Gabe said that it does do some of the things that are mentioned is frightening. But he also (wisely, I might add) pointed out that, whilst that aspect of the code is frightening, that all people who wanted to weaken the VAC system had other motives, and the simplest way to do that was to misrepresent it. Which makes sense. And Gabe has earned a lot of trust.
So don't blow it, Gabe.
[ link to this | view in chronology ]
Re: A whole lot of words to say nothing.
They could also decide tomorrow to scan the entire contents of your hard drive and send the information directly to Gabe to look over.
[ link to this | view in chronology ]
Re: A whole lot of words to say nothing.
Anti-cheats need to be closed source to keep the arms race up. Therefore all users have to trust them for it to work. Since it is easy to summon a shitstorm in today's society, maybe allowing unlimited cheating is the only way to go. Call me old-fashioned, but I hope it hasn't come to that... Yet!
[ link to this | view in chronology ]
Re: A whole lot of words to say nothing.
But he's also saying they're not actually sending the DNS data to their servers. They're sending a hash of it. Hashes can't be reversed -- if you have the hash, you can't recover the data that was hashed from it.
So, Valve doesn't ever actually receive your DNS entries, and you don't have to trust that they'll do something nefarious with them.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Imagine your boss asked you to make sure that nobody can read the books they sell while making sure that everyone can read the books they sell. Unless you happen to already have a very Pointy Haired Boss (my condolences), you would think that they went utterly insane. This is essentially what DRM sets out to try to do. There is a reason they want anti-circumvention features. To try to enforce via law what is logically impossible.
[ link to this | view in chronology ]
There's a hidden assumption buried in there. If you don't think you are doing anything evil then a quick honest statement about what is really going on is the way to go.
But, if your intentions or actions are ... less than honorable....
Did the CEO take suggestions on how to identify and punish cheaters? Maybe someone can think of a better way that doesn't rely on obfuscation.
[ link to this | view in chronology ]
tarring your critics?
So, anyone who disagrees with him is obviously a cheater? How about someone who doesn't like finding out that their activity is being spied on outside of a game?
While I applaud Gabe for coming out with a human and straightforward response, he could have done so without trying to denigrate anyone who disagrees with him.
[ link to this | view in chronology ]
Re: Re: tarring your critics?
Politician: We need to snoop on all your web browsing to catch paedophiles. Obviously paedophiles won't like this, so you will see some stories trying to cast this program in a sinister light.
NSA: We need to snoop on all your web browsing to catch terrorists. Obviously terrorists won't like this, so you will see some stories trying to cast this program in a sinister light.
Gabe: We need to snoop on all your web browsing to catch cheaters. Obviously cheaters won't like this, so you will see some stories trying to cast this program in a sinister light.
In each case they are pointing out that their objective is to catch bad people, which of course has to be a good thing. After all, bad people! So of course bad people won't like this and will write nasty things about the program. Think about that every time you see someone argue against this program, and think of the children(tm)!
And of course with the NSA this is happening at this moment - with David Miranda and Jesselyn Radack being treated as terrorists for opposing the NSA's anti-terrorist program, and politicians sparing no opportunity to attack Snowden, Greenwald et al.
Now I would reiterate that I think Gabe did the right thing in issuing a prompt response, and in a human manner rather than something tied up in lawyerese and PR-speak. I also trust Steam far more than I trust politicians/NSA and actually believe what he says.
I just think he could have ditched the line where he tried to associate anyone who disagreed with their browsing being spied on with cheaters.
I would point out that I do use Steam and am happy with the service they provide. I'm not going to stop as a result of this disclosure.
[ link to this | view in chronology ]
As a Single Player Hacker
I am okay with the checking for hacks things, but I think a ban is overkill. Not all hacks are malicious and there will always be someone who got banned because their stupid kids did it, or from a false positive.
The appropriate way to handle this is to place a tag on the account and game suspected of cheating on and letting people choose to reject connections with those flags set.
Cheaters as well as non-cheaters have a right to play the games they pay for, including playing with other cheaters if they desire. Allowing non-cheaters to auto reject other suspected cheaters will have the desired effect without taking a cheater's games away.
[ link to this | view in chronology ]
Re: As a Single Player Hacker
The only legitimate way around it is for the game developer to put cheats into the game that disable Achievements, etc, when turned on. So you could blame Valve, or the game devs, or both, I suppose.
[ link to this | view in chronology ]
Re: Re: As a Single Player Hacker
On the other hand, we bought all three gaming consoles last generation. I've been playing home video game consoles for literally over 40 years at this point, so not having a lot of access to the system software is something I've come to expect. But this time around, we'll have Steamboxes available as an option, and one of them might end up being our main console. In the world of gaming consoles, the Steambox is a huge step forward for openness -- arguably a bigger one than Ouya because Valve actually matters -- and I have an instant game collection of dozens of Humble Bundle purchases as soon as I request the keys, many of which I haven't played because I think they'd be better suited to a television and all 165 of which (and counting; they have a great bundle going as I type this) should be SteamOS compatible whether they're on Steam or not.
I won't be installing Steam on anything I use for normal computing tasks, though. Yay for Valve shaking up both the console and PC gaming markets, whether they succeed or not. Boo for Valve wanting to treat my laptop as though it's theirs and I'm just renting it. Windows and OSX/iOS users may be used to that stuff, but I like to own the computers I pay for.
[ link to this | view in chronology ]
Re: Re: As a Single Player Hacker
Correct.
[ link to this | view in chronology ]
They can take that crap and shove it.
[ link to this | view in chronology ]
Re: Re:
Show me an alternative to Windows that can run all the same software, especially games, and I'll happily switch.
[ link to this | view in chronology ]
Chances are if you're cheating on a VAC enabled server, you're up to no good and have an unfair advantage.
If you are banned, you can still play on the (small number) of non-VAC enabled servers where everyone else is also hacking/cheating.
Also, false positives are rare, given the all too unique signature of cheats. Yes, many people have been banned and were innocent, but they were immediately unbanned when Valve figured out it was a false positive. Rarely are false positives 1 in a million either.
[ link to this | view in chronology ]
DRM should never be trusted.
[ link to this | view in chronology ]
Re: Re: Re: DRM should never be trusted.
GOG can't sell many to most brand new games because apart from some indie devs the publishers won't put their games up for sale without DRM because they are all super paranoid. This is the market that Steam is serving; Steam's customers want DRM. It's the publisher's customers that hate it :)
[ link to this | view in chronology ]
Re: Re: Re: Re: DRM should never be trusted.
Yes, that was my point. And they are faring just fine - they are very profitable. I.e. there is no need to bend to unethical demands of lunatic publishers who insist on DRM, justifying that with fear of not being profitable.
And about new games, the number of sane studios and publishers which don't use DRM grows and things slowly improve. But it's still a while until lunatic DRM Lysenkoists will become a minority.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: DRM should never be trusted.
That's not true. You can publish to Steam without DRM, and plenty of publishers have. These games can be launched from their executables without Steam needing to run. They don't use Steamworks or any third-party DRM.
Here is a list of games on Steam with no DRM at all, not even Steamworks.
[ link to this | view in chronology ]
VAC !== DRM
I remember the original Team Fortress mod for Quake 1, and when people would use cheat systems to be able to respawn by the enemy flag, or take extra damage. It made the game not fun at all. I'm glad there are systems like this in place, even though I don't play games so much any more.
[ link to this | view in chronology ]
Nice to see the honesty
[ link to this | view in chronology ]
Re: Re: Nice to see the honesty
But I don't want to overstate this -- Although I think they're walking a thin line here, I'm not actually convinced that their actions could be termed anything like "evil." They've done this in a fairly decent way, and I won't condemn them for it.
I'm just personally not comfortable with it.
[ link to this | view in chronology ]
Re: Re: Nice to see the honesty
I don't trust any of them enough to be comfortable with them. Steam is an exception purely for reasons of tradition: I was using Steam from the very first day, back when I was a touch more innocent and less suspicious. I recognize the irrationality of this exception, and so it didn't take much to sour me on Steam.
[ link to this | view in chronology ]
Pretty suspicious if you ask me...
[ link to this | view in chronology ]
If VAC is Evil, Gamers do what? Demand less security??
While this explanation sounds legitimate on the surface, I would like to know exactly how "social engineering" - i.e. making folks distrust VAC and Valve via scare stories about snooping on clients' habits, is in any way effective in making cheating easier, or in making cheat coding easier or more effective for the cheaters.
It's not as if the non-cheating gamers are going to go elsewhere to play where security is less stringent, or demand that VAC be made less effective against cheaters.
The users of these anti-cheat policing system game-shops have no say whatsoever in how the security wares operate - I would guess that most of the users are unaware of the anti-cheat system software altogether, or at least are generally unconcerned about it.
How would attacking people's trust in the system make it easier to cheat the system, or easier to write better cheat codes to game the system??
I just don't see the connection that Newell is trying to make here, nor does he spell it out at all in his post. He simply makes the claim and leaves it at that.
[ link to this | view in chronology ]